Terms of Reference – Identity Verification Services Act 2023 Reviews

National security
Publication date
Download
Terms of Reference – Identity Verification Services Act 2023 Reviews [PDF 278.9 KB]
Terms of Reference – Identity Verification Services Act 2023 Reviews [DOCX 99.88 KB]

Context

The statutory reviews of the Identity Verification Services Act 2023 (Cth) (IVS Act) consist of two concurrent reviews: the Interim Review and the Act Review, both required by the IVS Act.

  • The Interim Review must consider the adequacy and operation of the privacy protections and security requirements in the IVS Act and associated instruments. It will also consider the penalties for non-compliance with obligations set out in participation agreements, including whether there is merit in developing a civil penalty framework for the IVS.
  • The Act Review must consider the operation of the IVS Act, and the provision of the IVS more broadly.

Together, these reviews aim to ensure that the Identity Verification Services (IVS) framework remains relevant, fit-or-purpose and meets public expectations, by enabling the provision of effective services that protect the safe handling of personal information.

The IVS allows for the comparison of personal information from identity documents (e.g., Australian passport, driver’s license) against Australian, state and territory government records. These services, offered by the Australian Government, provide the sole national capability for industry and government to securely and efficiently verify customer identities. The IVS Act provides the legislative basis for these operations, ensuring that the benefits of these services can be harnessed without compromising the privacy of Australians. In 2024-25, the services were used over 135 million times.

The IVS is used daily by government and industry and has become a foundational element of how identity is established, verified, and protected in Australia. It is relied upon to verify the identity of individuals when establishing a myID, which is required to securely access critical government services from agencies like Centrelink and the Australian Taxation Office. Private sector organisations also rely on the IVS to support and safeguard customer transactions and service delivery, particularly in the financial and telecommunications sectors.

The Attorney-General, as the responsible Minister, is required by section 43 of the IVS Act to commence both statutory reviews within two years of commencement of section 43, which was 14 June 2024. Therefore, the reviews must start before 14 June 2026. The reviews will be conducted concurrently.

Overarching Scope and Principles

Both reviews will assess and recommend improvements to the legal framework underpinning the administration and operation of the IVS, and to the practical implementation of the services. Key areas of consideration include:

  • What role does the IVS play in facilitating commerce or access to services?
  • Are the objects of the IVS Act fit-for-purpose, remain relevant and meet public expectations to facilitate identity verification in a safe and secure way?
  • Has the operation of the IVS framework advanced the objects of the IVS Act and are there areas for improvement?
  • Does the IVS Act, IVS Rules, participation agreements and related documents support improved identity verification, including in a safe and secure way that protects the handling of personal information?
  • How does the operation of the IVS framework compare and interact with other existing mechanisms, including the Privacy Act 1988, Digital ID Act 2024, and other Commonwealth, state and territory legislation (e.g. anti-money laundering and counter terrorism financing, fraud, anti-corruption, and privacy legislation)?
  • Does the current operation of the statutory settings enable identity verification to benefit consumers?
  • Are the technical capabilities fit-for-purpose, remain relevant and meet public expectations?
  • Should the 2017 Intergovernmental Agreement be revised to remain relevant and ensure the secure and efficient delivery of identity verification to minimise the risk of identity fraud and theft, and protect the privacy of Australians when seeking to access government and industry services and engage with the digital economy?
  • User satisfaction with the operation of the IVS framework as a tool to securely and efficiently verify customer identity

Specific Matters to be Considered

In addition to the above matters, the reviews will specifically address the following areas:

  • Consider whether the IVS remains an effective and efficient service that meets the needs of users, including for the supply of goods and services to the community by government and industry.
  • Opportunities for the IVS to evolve to meet the emerging and future needs of users in an increasingly digital world.

  • Adequacy of the current operational framework to meet community expectations and user satisfaction as a tool for safely and securely verifying identity
  • Opportunities to streamline the legal requirements across the IVS Act, Identity Verification Services Rules 2024, participation agreements, and related documents.

  • Adequacy and operation of privacy protections in the IVS Act, including:
    • Privacy obligations for parties to participation agreements (sections 9 and 10 of the IVS Act)
    • The power under subsection 44(1A) of the IVS Act to prescribe additional privacy requirements in rules, and the content of any rules in force
    • Data breach notification requirements related to the National Driver Licence Facial Recognition Solution (NDLFRS) hosting agreement (subsections 13(3) and (4) of the IVS Act), and in relation to participation agreements (subsections 9(f)-(h))
    • Fit-for-purpose limitations on the use and disclosure of personal and protected information under the IVS Act, including the non-disclosure offence, and their effectiveness in supporting safe and secure IVS operation.

  • Adequacy and operation of security requirements in the IVS Act and agreements, including:
    • The department’s requirement to maintain the security of identification information in the NDLFRS database, including encryption (paragraph 13(4)(a))
    • The department's requirement to maintain the security of electronic communications to and from approved identity verification facilities, including encryption (subsection 25(a))
    • The department's requirement to protect information from unauthorised interference or access (subsection 25(b))

  • Adequacy and operation of penalties for non-compliance with obligations set out in participation agreements
  • Consideration of whether civil penalties should apply to non-compliance, noting the current penalty is suspension or termination of a party’s ability to request IVS (subsection 12(c)). This includes assessing the merit in developing a civil penalty framework for the IVS.

  • Adequacy of authorisations under the IVS Act to facilitate effective measures that support individuals, government, and businesses in addressing and mitigating risks associated with identity crime, fraud and misuse. This includes consideration of the Credential Protection Register, and for protecting shielded persons and associated persons.

Conduct and outcomes of the Reviews

Commencement and Conclusion

The statutory reviews must commence by 14 June 2026 and are scheduled to conclude on or before 14 June 2027.

Consultation

Both statutory reviews will be informed by a single evidence‑gathering and consultation process. This will include inviting submissions, meeting with stakeholders on specific issues, and consulting with a range of relevant parties.

Reporting

Upon completion, the report will be provided to the Attorney-General. Pursuant to subsection 43(3) of the Act, the Attorney-General must cause a copy of the report to be tabled in each House of Parliament within 15 sitting days of receiving it.

Related links

Statutory reviews of the Identity Verification Services Act 2023